On 25th May 2018 new data protection laws known as GDPR come into force. Although these are European laws the Government has indicated that upon Brexit they will be replaced by similar legislation.

Under GDPR anyone responsible for processing an individual’s data is required to ensure that there is a lawful reason for collection and processing. Where consent is required it must be given freely and be easy to retract. Only necessary data should be retained and only for as long as is required.

Cerberus has been working hard to prepare for this new legislation. We are committed to the highest standards of information security.

Nothing is changing about the way that you use our services. If you are a customer then we do not need to gather new consent to contact you; we already have a lawful basis. We will continue to update you as we do now.

We have updated our Privacy Notice and our Cookie Policy. Please follow the links to review these. Some contracts have been updated and you will be asked to sign the new agreements before placing further business.

Some of you have asked for more detail about what we are doing.

Data Controller & Processor
Under GDPR we are the Data Controller for data that we collect from our direct customers.

We also have resellers who collect data from their customers and provide some of that data to us in order to provide services for such customers. In this reseller scenario we may be considered a Processor, or Sub-Processor or even a Controller depending on the circumstances.

Some resellers have requested a specific Data Processor Agreement (in addition to our other Policies, Notices and/or Contracts). We have prepared a suitable agreement and would be happy to provide this on request. We are also happy to review your own agreement proposal should you wish.

In any case we will assist you, where required, to support you as a Data Controller where we are a Processor, or you as a Data Subject where we are the Controller.

Cerberus’ Commitments:
We commit to follow all applicable EU & UK laws.

  • We will only process your data as is required to quote for, provide, support and bill your services with us.
  • We will only market to existing customers, or to 3rd party contacts where there is demonstrable consent.
  • We will not share data with 3rd parties for any purpose other than quoting for new services, providing, supporting, or billing the service for which you contracted with us.
  • We will not sell your data.

If you are the Data Controller and we need to use sub-processors to provide the service, this will be carried out in line with GDPR rules and agreed at the point of contract, or with your written permission thereafter. We would only consider sub-processors with similar security levels to our own.

We currently have 6 main sub-contractors involved with your data who may be considered sub-processors depending on the circumstances:

  • BT Wholesale provide the bulk of our broadband services, they also provide some support services, and Ethernet Leased Lines.
  • TalkTalk Business provide some broadband services, Telephone lines and Ethernet Leased Lines.
  • Smart Debit (a trading name for Payment Solutions) process our Direct Debit collections from our customers on our behalf. Smart Debit store your payment data securely on encrypted disks, in locked cabinets in EU datacentres. Smart Debit are ISO27001:2013 accredited.
  • We have a company in India who host technical support, operations support and software development staff. Cerberus’ UK management team is responsible for hiring, training and managing these staff and they work as an integral part of our company, although legally they are employed by the Indian host company. Minimal data are transferred to India. No payment data are ever transferred. All data transferred to India is done with appropriate safeguards and meets the requirements set out in Chapter V of the GDPR.
  • Gamma Telecom provide IP Telephony and Fixed Line Telephony Services.
  • Experian provide credit checking services which Cerberus use to assess a company or individual’s credit worthiness when becoming a customer.

  • We will implement appropriate technical and organisational measures to protect data.
  • We will inform you promptly of any breach.

Rights under GDPR
Under GDPR Individuals have 8 rights. Cerberus will respect these rights.

  1. The right to be informed. The purpose of this right is to allow individuals to obtain information on how and why you’re processing their personal data. This is typically done through our Privacy Notice and notices like the one you are reading now.
  2. The right of access. The purpose of this right is to allow individuals access to their personal data to enable them to know what data we hold and to verify the lawfulness of the processing. If you wish to do this please see “Accessing my Data” later in this document.
  3. The right of rectification. This is also referred to as the right to have information corrected. Individuals have a right to have their data corrected if it’s inaccurate or incomplete. The data subject has the right to know who the information has been shared with. See “Correcting my Data” later in this document.
  4. The right to erasure. This right is also known as the right to be forgotten. Basically, individuals can request to have their data removed or deleted when there’s no reason to continue processing it. We will also inform third parties, that we may have sent their data to, that we’re erasing it, unless it’s impossible or will involve a disproportionate effort. Individuals are entitled to know the identity of the third parties. However, this is not an absolute right and only applies under specific circumstances, including:
    a. Where processing data is no longer necessary for the purpose it was first collected.
    b. When an individual has objected to having their data processed and there is no overriding legitimate interest for continuing the processing;
    c. When an individual has withdrawn consent;
    d. If the data was unlawfully processed (i.e. in breach of GDPR);
    e. The personal data has to be erased in order to comply with a legal obligation;
    f. The personal data is processed in relation to the offer of information society services to a child.

Should you wish to request erasure please see “Requesting Erasure” later in this document.

  5. The right to restrict processing. Individuals have the right to block or suppress the processing of their data in certain circumstances. This right applies in the following situations:
    a. Where an individual contests the accuracy of the personal data, you should restrict processing until accuracy is verified;
    b. When an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and you are considering whether your organisation’s legitimate grounds override those of the individual;
    c. When processing is unlawful and the individual opposes erasure and requests restriction instead;
    d. If you no longer need the data, but the individual needs it to establish, exercise or defend a legal claim.

Should you wish to restrict processing please see “Restricting Processing” later in this document.

  6. The right to data portability. This right allows individuals to obtain and safely reuse their data across different services for their own purposes. For example, consumers using their data on a price comparison website, or to help understand their spending habits.

Should you wish to obtain your data please see “Accessing my Data” later in this document.

  7. The right to object. Where processing of your data is taking place under certain purposes but no legitimate reason exists for this, you have the right to object. Please see “Objecting to Processing” below.

  8. Rights in relation to automated decision making and profiling.

An Individual has the right not to be subject to a business’s automatic decision making in certain circumstances. This right applies when it’s:

  • Based on automated processing (making a decision solely by automated means without any human involvement);
  • Profiling (automated processing of personal data to evaluate certain things about an individual).

There are additional rules to protect individuals where solely automated decision-making has legal or similarly significant effects on them. This is only allowed where:

  • Necessary for the entry into or performance of a contract; or
  • Authorised by Union or Member state law applicable to the controller; or
  • Based on the individual’s explicit consent.

Cerberus use Experian to provide credit scores for new customers. Where the score is good account setup usually proceeds. Where the score is not good it is always reviewed by management and mitigating factors considered.

Accessing my Data
All customers have access to Cerberus’ portal, NetCONNECT. This portal provides access to much of an Individual’s information, but it may not be complete. Should you wish to access information not available through NetCONNECT, or do not wish to use NetCONNECT you should make your request in writing to:

governance@cerberusnetworks.co.uk or by post to: Governance Team, Cerberus Networks Ltd, 9 Walmgate Road, Greenford, UB6 7LH.

We will need to verify your identity by reasonable means. You can provide your phone number and we will contact you to ask you security questions, and we will record and check your responses. Alternatively, you can provide two sources of identification: for example a copy of your driving licence, passport, utility bill or credit card statement.

If we process a large volume of information about the subject, we have the right to ask you to be specific and in any case we would appreciate your request be as specific as possible.

When you make your request please specify whether you would like the information in a human readable format, or whether you are invoking your right to data portability and require machine readable data. If you have a specific requirement for file format (for instance CSV, JSON, XML), or structure, please include this in your request and we will attempt to meet your requirement where possible, otherwise we will use our discretion.

We will respond to any reasonable request within 1 month. Please note that if you make a complex request we may legally extend our period of compliance by a further 2 months.

If we believe that your request is manifestly unfounded or excessive, particularly if the request is repetitive, we can charge you a reasonable fee which takes into account our costs in providing information to you, or we may refuse to respond.

If we refuse your request you have the right to complain to the Information Commissioner’s Office, or bring a complaint before a court.

Correcting my Data
In many cases an individual can correct their data themselves through the NetCONNECT portal. If the data you wish to correct are not available in the portal, or you do not wish to use the portal you may contact us using the same process as in the section on Accessing my Data. As with access we will verify your identity before making changes.

We will carry out reasonable requests within 1 month. If your request is complex this can be extended by a further 2 months.

If we refuse your request you have the right to complain to the Information Commissioner’s Office, or bring a complaint before a court.

Requesting Erasure
If you wish to request erasure please contact us using the same process as in the section on Accessing my Data. As with access we will verify your identity before making changes.

In certain circumstances, we can refuse a request to erase an individual’s data. This applies where personal data is processed for the following reasons:

  • To comply with a legal obligation for performing a task that’s been carried out in the public’s interest;
  • For public health purposes in the public interest;
  • The exercise or defence of legal claims.

Restricting Processing
If you wish to restrict processing of your data please contact us using the same process as in the section Accessing my Data. As with access we will verify your identity before making changes.

When processing is restricted, we’re allowed to store that data but not process it any further. We can also retain enough information to ensure a restriction is respected.

Objecting to Processing
If you wish to object to the processing of your data please contact us using the same process as in the section on Accessing my Data. As with access we will verify your identity.

An individual has the right to object to their data being processed. This is concerned with processing being based on three areas:

  1. Legitimate interest, or performing a task in the public interest or an exercise of official authority, including profiling;
  2. Direct marketing;
  3. For purposes of scientific/historical research and statistics.

Each of the three areas carries different rights. When processing for legitimate interest, we should stop unless:
  • The processing is being done to establish or defend a legal claim; or
  • We can demonstrate there are legitimate grounds for it, which override an individual’s interests and rights.

In cases of legitimate interest and direct marketing, the individual has a right to object to processing when we first communicate with them and in our Privacy Notice. We will stop processing data for direct marketing purposes as soon as we receive an objection and deal with it free of charge.

Individuals who object to processing that is based on research should have “grounds relating to their particular situation” to exercise this right. When processing concerns research, we’re not required to comply with an objection where the processing is necessary for the performance of a public interest task.
